Cisco Security Advisory Lingo Demystified

It is almost that time of year again. Our Product Security Incident Response Team (PSIRT) is readying the release of the next bundle of security advisories for Cisco IOS. As stated in the original announcement, bundles are released on the fourth Wednesday in March and September; the next bundle is scheduled for September 23rd. With that in mind, I wanted to take the opportunity to explain some of the wording that is used in advisories.

I can assure you that there is a large effort applied to every security advisory by our technical, legal, and public relations teams to make sure the advisory is both clear and concise. At the same time though, I think reinforcing some key phrases will help you do the important work—assessing your risk due to an advisory—instead of working to understand the words themselves.

Unless you live and breathe security, you might find phrases such as “the improper handling of a crafted packet may allow an unauthenticated attacker to perform remote code execution” to be confusing. Along the same lines, what are mitigations and how are they different than workarounds? What in the world are CoPP and iACLs and can they buy time before an upgrade is required?

The following are some of the key words and phrases that you might encounter when reviewing a Cisco Security Advisory. There are certainly others, but these are the ones that occur frequently and that relate to the core content of the advisory. Before you ask, I know these are not listed alphabetically; I’ve listed them in the order in which you might find them while reading an advisory.

Denial of Service: An interruption in the service provided by a device. A denial of service, or DoS, can take several forms, including a device crash or reload, or the unavailability of an individual service or protocol while the device otherwise keeps running. Depending on the vulnerability, manual intervention may be required to recover from a successful DoS attack.

Remote Code Execution: The execution, by the vulnerable device, of instructions supplied by a remote attacker. For attackers this is of great value: an attacker who successfully exploits a vulnerability that allows remote code execution can likely perform any action they wish on the affected device.

Privilege Escalation: The attainment of privileges beyond what is intended by a system or system administrator. Generally speaking, vulnerabilities that allow privilege escalation let regular, authenticated users obtain a privilege or privileges that are usually reserved for administrators. This was the case in the Cisco IOS Software Secure Copy Privilege Escalation Vulnerability.

Crafted Packet: A packet that has been built from scratch, or altered after creation, by deliberate human action rather than by a normal protocol implementation. By definition, a crafted packet is not something that should be seen during the normal operation of a network, but something intentionally created, whether maliciously or otherwise.

Malformed Packet: A packet that does not conform to the appropriate standards or specifications. Malformed packets may be crafted intentionally or the result of a software bug or bad protocol implementation. These packets may or may not be seen during normal network operations.

Authenticated User: This phrase is used to indicate that an “attacker” must have supplied some form of valid credentials before they can successfully perform an attack. Although credentials typically equate to a username and password, that is not always the case. For example, the pre-shared key (“shared secret”) commonly used in IPsec deployments can be considered “credentials” in the context of a security advisory.

Unauthenticated Attacker: An attacker without any sort of valid credentials. If a vulnerability can be triggered by an unauthenticated attacker, no authentication whatsoever is required for the vulnerability to be exploited; anyone who can get packets to the vulnerable service can attempt the attack.

Workaround: Steps taken or changes made to a device that cause it to no longer be affected by the vulnerability. Although it may seem like a silly example, if only service X is vulnerable and that service is not truly required, disabling service X is a valid workaround. Workarounds are generally something that should only be applied temporarily until the device can be upgraded to a software revision that does not contain the vulnerability.

Mitigation: Steps or actions taken to minimize, but not remove, exposure to a vulnerability. Applying an access control list on another device may mitigate a potential attack by dropping malicious packets, but strictly speaking, the vulnerable device is still vulnerable. Like workarounds, mitigations should be viewed as a stopgap and not a permanent solution.

Access Control List: Access control lists, or ACLs, are filtering mechanisms present on many network devices. Generally speaking, ACLs permit or deny network traffic based on the Layer 3 or Layer 4 characteristics of the packet. For example, an extended ACL on a Cisco IOS device can deny telnet traffic on TCP port 23 while permitting SSH traffic on TCP port 22.

Once created, ACLs used for traffic filtering are applied to network interfaces in either the inbound or outbound direction. Keep in mind that every IOS ACL ends with an implicit deny of all traffic, so an ACL that only lists the traffic you want to block must also explicitly permit everything else, or it will drop the transit traffic too.
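The ACL described above, written out as an added example (it is not an excerpt from the original post). The device address 192.0.2.1 and the interface GigabitEthernet0/0 are assumed placeholders:

```cisco
! Added example, not from the original post. Assumes the device's management
! address is 192.0.2.1 and that GigabitEthernet0/0 faces the untrusted side.
ip access-list extended MGMT-IN
 ! Drop telnet (TCP/23) aimed at the device itself and log the attempt
 deny   tcp any host 192.0.2.1 eq 23 log
 ! Allow SSH (TCP/22) to the device
 permit tcp any host 192.0.2.1 eq 22
 ! Everything else may pass. Without this line the implicit "deny ip any any"
 ! at the end of the ACL would also drop traffic crossing the router.
 permit ip any any
!
! Apply the ACL to the interface in the inbound direction
interface GigabitEthernet0/0
 ip access-group MGMT-IN in
```

`show access-lists MGMT-IN` shows a per-entry match counter, which is the quickest way to confirm the deny entry is actually being hit. The `log` keyword produces rate-limited syslog messages for matching packets; drop it if the device is already under load, since logging is done on the route processor.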

Infrastructure Access Control List: Infrastructure ACLs (iACLs) are a technique through which ACLs are applied around the outside of a network, creating a hard shell if you will. Infrastructure ACLs aim to filter incoming network traffic that is targeted to the network itself while allowing all other traffic to travel across the network. Please see Protecting Your Core: Infrastructure Protection Access Control Lists for more information.
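The “hard shell” structure described above, as an added example that is not taken from the original post or from the referenced Cisco document. All addresses and the interface name are assumed placeholders:

```cisco
! Added example, not from the original post. Assumes: 192.0.2.0/24 holds the
! network's own infrastructure addresses (loopbacks and link addresses),
! 203.0.113.10 is an external BGP peer, 198.51.100.0/24 is the management
! network, and GigabitEthernet0/1 faces the outside world.
ip access-list extended IACL-EDGE
 ! Anti-spoofing: nothing arriving from outside should claim an inside source
 deny   ip 192.0.2.0 0.0.0.255 any
 ! Traffic the infrastructure must accept from outside: BGP from the peer
 permit tcp host 203.0.113.10 192.0.2.0 0.0.0.255 eq bgp
 permit tcp host 203.0.113.10 eq bgp 192.0.2.0 0.0.0.255
 ! ICMP needed for troubleshooting and path MTU discovery
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 ! Management access only from the management network
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 ! The shell: all other traffic addressed to infrastructure is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 ! Transit traffic crossing the network is untouched
 permit ip any any
!
interface GigabitEthernet0/1
 description Link to external peer
 ip access-group IACL-EDGE in
```

The ordering matters: the explicit permits for required protocols sit above the infrastructure-wide deny, and the final `permit ip any any` is what makes this an infrastructure ACL rather than a transit filter. Before enforcing, it is worth running the shell entry as `permit ip any 192.0.2.0 0.0.0.255 log` for a period and reviewing the log to catch legitimate traffic (a monitoring station, an NTP server) that the list forgot to permit.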

Control Plane Policing: Control Plane Policing (CoPP) is a security feature on Cisco IOS devices that permits, denies, or rate limits network traffic to a network device. This is a subtle but very important point: CoPP filters traffic to a network device, not through it. In the context of security advisories, CoPP allows us to deny certain, potentially malicious, traffic on a network device without applying an ACL to every interface on the device. This single point of application, coupled with the fact that it only affects traffic destined to the device itself, makes CoPP a natural fit when looking to filter malicious traffic to a network device.
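A CoPP policy of the kind described above, as an added example that is not from the original post. It assumes 198.51.100.0/24 is the management network and that BGP and OSPF are the routing protocols in use; the class and policy names are placeholders:

```cisco
! Added example, not from the original post. In the ACLs below, "permit"
! means "put the packet in this class", not "allow it"; the policy-map
! decides what happens to each class.
ip access-list extended COPP-UNDESIRABLE
 permit tcp any any eq 23
 permit udp any any eq 69
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended COPP-MANAGEMENT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
class-map match-all COPP-CLASS-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
class-map match-all COPP-CLASS-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-CLASS-MANAGEMENT
 match access-group name COPP-MANAGEMENT
!
policy-map COPP-POLICY
 ! Classes are evaluated top down; the first matching class wins
 class COPP-CLASS-UNDESIRABLE
  ! Telnet and TFTP to the device are dropped regardless of rate
  police 8000 1500 conform-action drop exceed-action drop
 class COPP-CLASS-ROUTING
  ! Never drop routing protocol traffic; the policer only counts it
  police 128000 8000 conform-action transmit exceed-action transmit
 class COPP-CLASS-MANAGEMENT
  police 64000 4000 conform-action transmit exceed-action drop
 class class-default
  ! Everything else punted to the route processor, including SSH from
  ! outside the management network, is rate limited rather than denied
  police 32000 2000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

`show policy-map control-plane` reports conformed and exceeded packet counts per class; check that the routing class shows no exceed-action drops and that class-default is not starving legitimate traffic before tightening any rate. The rates above are illustrative and must be sized for the platform and the real control-plane load. Note also that the policy above only rate limits SSH from outside the management network rather than blocking it, so CoPP complements an interface ACL or iACL; it does not replace them.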

Now that you are armed with a better understanding of these key words and phrases you can focus on the important work, determining how these advisories affect your network and users.
